Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-17 Thread Chuck Mariotti
>That's definitely the cable modem's NAT getting confused. If you can get the 
>phones to randomize their source ports on their OpenVPN traffic, that might 
>resolve. I'm not sure if that's possible on those phones. In stock OpenVPN, 
>specifying "lport 0" in the config will make it choose a random port. I'm not 
>sure if that's configurable for the Yealink phones though. We disable that 
>automatically in our OpenVPN client export for Yealink because they didn't 
>support it at least up until recently.

>If you can change the modem to bridge mode to pass through the public IP to a 
>router of some sort that will properly handle that circumstance, it'll resolve 
>that. That might be hit or miss with consumer-grade routers. A completely 
>default pfSense config will work fine in that circumstance, as it'll 
>randomize the source ports on its own so the phones don't have to.


Thanks Chris, I've emailed Yealink support but it seems they are "off" until 
mid-next week (Chinese New Year).
Not sure what to do, purchase a 3rd party router to see if solves the problem 
or if I should wait to see what Yealink's answer is first.

Reading up on the modem seems like bridge mode is a little problematic... maybe 
a call to the cable provider first to see options.

Thanks Again,

Chuck
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-17 Thread Chris Buechler
On Tue, Feb 17, 2015 at 11:13 PM, Chuck Mariotti  wrote:
>>Think you forgot the logs. That should be enough of a summary to have a good 
>>idea though.
>
>>What's the firewall/router/NAT device on the network where the 3 phones 
>>reside? That sounds like what could happen with a NAT device that doesn't 
>>handle UDP well. Some consumer-grade routers and some NAT implementations 
>>built into DSL/cable modems can have problems handling long-lived UDP 
>>connections especially where multiple devices are being NATed out to a single 
>>destination IP and port.
>
> And here is the log below... argh.
> The devices are behind a 256Mbit cable modem... Any suggestions on how to 
> resolve if that is the case? 3rd party router?
>
> Feb 17 22:35:49 openvpn[78847]: Phone-Ext213/172.172.172.66:1086 
> send_push_reply(): safe_cap=940
> Feb 17 22:35:47 openvpn[78847]: MULTI_sva: pool returned IPv4=10.9.12.14, 
> IPv6=(Not enabled)
> Feb 17 22:35:47 openvpn[78847]: 172.172.172.66:1086 [Phone-Ext213] Peer 
> Connection Initiated with [AF_INET]172.172.172.66:1086
> Feb 17 19:50:44 openvpn[78847]: Phone-Ext212/172.172.172.66:1194 
> send_push_reply(): safe_cap=940
> Feb 17 19:50:42 openvpn[78847]: Phone-Ext212/172.172.172.66:1194 MULTI_sva: 
> pool returned IPv4=10.9.12.18, IPv6=(Not enabled)
> Feb 17 19:50:42 openvpn[78847]: 172.172.172.66:1194 [Phone-Ext212] Peer 
> Connection Initiated with [AF_INET]172.172.172.66:1194
> Feb 17 19:49:39 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: 
> local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [0]
> Feb 17 19:49:37 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 TLS Auth 
> Error: TLS object CN attempted to change from 'Phone-Ext212' to 
> 'Phone-Ext211' -- tunnel disabled
> Feb 17 19:49:37 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Auth 
> Error: TLS object CN attempted to change from 'Phone-Ext211' to 
> 'Phone-Ext212' -- tunnel disabled

That's definitely the cable modem's NAT getting confused. If you can
get the phones to randomize their source ports on their OpenVPN
traffic, that might resolve. I'm not sure if that's possible on those
phones. In stock OpenVPN, specifying "lport 0" in the config will make
it choose a random port. I'm not sure if that's configurable for the
Yealink phones though. We disable that automatically in our OpenVPN
client export for Yealink because they didn't support it at least up
until recently.

If you can change the modem to bridge mode to pass through the public
IP to a router of some sort that will properly handle that
circumstance, it'll resolve that. That might be hit or miss with
consumer-grade routers. A completely default pfSense config will work
fine in that circumstance, as it'll randomize the source ports on its
own so the phones don't have to.
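The pattern Chris describes above (several phones NATed out to one public address, the modem handing the same outside port to different phones over time) leaves a recognisable trace in the server log: one public ip:port turns up under more than one certificate CN, and the server eventually says so outright with "TLS object CN attempted to change". The script below is an added example, not code from the thread, from pfSense or from OpenVPN; it parses lines in the posted log's format and flags such shared endpoints. Its sample log is constructed from the posted lines (the digest's wrapped lines re-joined), and the 198.51.100.7 endpoint is an invented stand-in for the healthy fourth phone.

```python
"""Spot the NAT port-collision pattern in an OpenVPN server log.

Added example for this thread; it is not pfSense or OpenVPN code. It parses
log lines in the shape of the posted OpenVPN server log and reports every
public ip:port behind which more than one client certificate CN has been
seen. SAMPLE_LOG is constructed from the posted lines; the 198.51.100.7
site is made up and stands in for the fourth, healthy phone.
"""
import re
from collections import defaultdict

# Established-peer lines: "openvpn[pid]: CN/ip:port message"
PEER_RE = re.compile(
    r"openvpn\[\d+\]: (?P<cn>[^\s/]+)/(?P<ip>[\d.]+):(?P<port>\d+) (?P<msg>.*)$")
# Handshake lines: "openvpn[pid]: ip:port [CN] Peer Connection Initiated ..."
INIT_RE = re.compile(
    r"openvpn\[\d+\]: (?P<ip>[\d.]+):(?P<port>\d+) \[(?P<cn>[^\]]+)\] Peer Connection Initiated")
# The server noticing that the CN behind an address it already tracks changed
CHANGE_RE = re.compile(r"CN attempted to change from '(?P<old>[^']+)' to '(?P<new>[^']+)'")

SAMPLE_LOG = """\
Feb 17 22:35:47 openvpn[78847]: 172.172.172.66:1086 [Phone-Ext213] Peer Connection Initiated with [AF_INET]172.172.172.66:1086
Feb 17 19:50:42 openvpn[78847]: 172.172.172.66:1194 [Phone-Ext212] Peer Connection Initiated with [AF_INET]172.172.172.66:1194
Feb 17 19:49:39 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [0]
Feb 17 19:49:37 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext212' to 'Phone-Ext211' -- tunnel disabled
Feb 17 19:49:37 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext211' to 'Phone-Ext212' -- tunnel disabled
Feb 17 19:49:25 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 16:35:45 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 send_push_reply(): safe_cap=940
Feb 17 16:35:42 openvpn[78847]: MULTI_sva: pool returned IPv4=10.9.12.18, IPv6=(Not enabled)
Feb 17 16:00:00 openvpn[78847]: 198.51.100.7:53012 [Phone-Ext214] Peer Connection Initiated with [AF_INET]198.51.100.7:53012
"""


def analyze(log_text):
    """Return (cns_by_endpoint, cn_changes) for the given log text.

    cns_by_endpoint maps "ip:port" -> set of CNs observed behind it;
    cn_changes lists (endpoint, old_cn, new_cn) taken from the server's
    own "CN attempted to change" errors.
    """
    cns_by_endpoint = defaultdict(set)
    cn_changes = []
    for line in log_text.splitlines():
        m = INIT_RE.search(line)
        if m:
            cns_by_endpoint[f"{m['ip']}:{m['port']}"].add(m["cn"])
            continue
        m = PEER_RE.search(line)
        if not m:
            continue  # pool assignments and other lines without a peer address
        endpoint = f"{m['ip']}:{m['port']}"
        cns_by_endpoint[endpoint].add(m["cn"])
        c = CHANGE_RE.search(m["msg"])
        if c:
            cns_by_endpoint[endpoint].update((c["old"], c["new"]))
            cn_changes.append((endpoint, c["old"], c["new"]))
    return dict(cns_by_endpoint), cn_changes


def shared_endpoints(cns_by_endpoint):
    """Endpoints seen with more than one CN: the signature of a NAT that has
    mapped several inside hosts onto one outside ip:port over time."""
    return {ep: sorted(cns) for ep, cns in cns_by_endpoint.items() if len(cns) > 1}


def diagnose(log_text):
    """'nat-port-reuse' if any public ip:port carried more than one CN, else 'ok'."""
    cns_by_endpoint, _ = analyze(log_text)
    return "nat-port-reuse" if shared_endpoints(cns_by_endpoint) else "ok"


if __name__ == "__main__":
    by_endpoint, changes = analyze(SAMPLE_LOG)
    for ep, cns in shared_endpoints(by_endpoint).items():
        print(f"{ep} carried {len(cns)} CNs: {', '.join(cns)}")
    for ep, old, new in changes:
        print(f"server saw {ep} switch from {old} to {new}")
    print("verdict:", diagnose(SAMPLE_LOG))
```

Feed a real server log's text to analyze() to apply it. An endpoint carrying more than one CN means the clients behind it are sharing an outside port, which is what distinct, randomised client source ports ("lport 0" on the client, or a NAT device that randomises source ports itself, as Chris says above) avoid.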


Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-17 Thread Chuck Mariotti
>Think you forgot the logs. That should be enough of a summary to have a good 
>idea though.

>What's the firewall/router/NAT device on the network where the 3 phones 
>reside? That sounds like what could happen with a NAT device that doesn't 
>handle UDP well. Some consumer-grade routers and some NAT implementations 
>built into DSL/cable modems can have problems handling long-lived UDP 
>connections especially where multiple devices are being NATed out to a single 
>destination IP and port.

And here is the log below... argh.
The devices are behind a 256Mbit cable modem... Any suggestions on how to 
resolve if that is the case? 3rd party router?

Feb 17 22:35:49 openvpn[78847]: Phone-Ext213/172.172.172.66:1086 
send_push_reply(): safe_cap=940
Feb 17 22:35:47 openvpn[78847]: MULTI_sva: pool returned IPv4=10.9.12.14, 
IPv6=(Not enabled)
Feb 17 22:35:47 openvpn[78847]: 172.172.172.66:1086 [Phone-Ext213] Peer 
Connection Initiated with [AF_INET]172.172.172.66:1086
Feb 17 19:50:44 openvpn[78847]: Phone-Ext212/172.172.172.66:1194 
send_push_reply(): safe_cap=940
Feb 17 19:50:42 openvpn[78847]: Phone-Ext212/172.172.172.66:1194 MULTI_sva: 
pool returned IPv4=10.9.12.18, IPv6=(Not enabled)
Feb 17 19:50:42 openvpn[78847]: 172.172.172.66:1194 [Phone-Ext212] Peer 
Connection Initiated with [AF_INET]172.172.172.66:1194
Feb 17 19:49:39 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: 
local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [0]
Feb 17 19:49:37 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 TLS Auth 
Error: TLS object CN attempted to change from 'Phone-Ext212' to 'Phone-Ext211' 
-- tunnel disabled
Feb 17 19:49:37 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Auth 
Error: TLS object CN attempted to change from 'Phone-Ext211' to 'Phone-Ext212' 
-- tunnel disabled
Feb 17 19:49:31 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: 
local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:27 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: 
local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:25 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 
Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:20 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: 
local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:18 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 
Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:18 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 
Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:18 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: 
local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:15 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 
Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:09 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: 
local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:05 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 
Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:05 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 
Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:01 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: 
local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:48:57 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: 
local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:48:55 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 
Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:50 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: 
local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:48:48 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 
Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:48 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 
Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:48 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: 
local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:48:45 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 
Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:44 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 
Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:39 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: 
local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 16:35:45 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 
send_push_reply(): safe_cap=940
Feb 17 16:35:42 openvpn[78847]: MULTI_sva: pool returned IPv4=10.9.12.18, 
IPv6=(Not enabled)
Feb 

Re: [pfSense] Fwd: Running Out of /var

2015-02-17 Thread Chris Buechler
On Mon, Feb 16, 2015 at 6:35 AM, Thomas Guldener  wrote:
> $ ls -l /var/dhcpd/var/db
> total 33728
> -rw-r--r--  1 dhcpd  _dhcp 0 Feb 16 12:50 dhcpd.leases
> -rw-r--r--  1 root   _dhcp  1193 Feb 16 12:50 dhcpd.leases~
> -rw-r--r--  1 dhcpd  _dhcp 28661 Feb 16 13:11 dhcpd6.leases
> -rw-r--r--  1 dhcpd  _dhcp  17203155 Feb 16 13:11 dhcpd6.leases~

Wow, that is a huge dhcpd6.leases~ file. You happen to make note of
its contents before disabling?


Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-17 Thread Chris Buechler
On Tue, Feb 17, 2015 at 9:50 PM, Chuck Mariotti  wrote:
> I have 4 Yealink T46G phones, 3 on one network (problematic), 1 on a
> separate network… all phones are OpenVPNing into pfSense box at datacenter…
> then using a phone system through the OpenVPN connection.
>
> The problematic location keeps having issues with phones not receiving calls
> or making calls… as well as call quality issues. Rebooting the phones solves
> the problems.
>
> The OpenVPN logs contain a number of TLS Errors (TLS keys are out of sync)…
> as well as Auth/Decrypt errors (packet HMAC authentication failed). Logs are 
> below.

Think you forgot the logs. That should be enough of a summary to have
a good idea though.

What's the firewall/router/NAT device on the network where the 3
phones reside? That sounds like what could happen with a NAT device
that doesn't handle UDP well. Some consumer-grade routers and some NAT
implementations built into DSL/cable modems can have problems handling
long-lived UDP connections especially where multiple devices are being
NATed out to a single destination IP and port.

Re: [pfSense] Suddenly getting pfi_table_update errors

2015-02-17 Thread Chris Buechler
On Tue, Feb 17, 2015 at 10:22 PM, Bryan D.  wrote:
> I have a relatively low-traffic pfSense 2.1.5 i386 setup on a system with 1.5 
> GB of memory that always shows <50% used.
>
> This setup has normally been reliable but, since upgrading to 2.1.5, today is 
> the 4th time I've run into a problem after making changes to some aliases.  
> For some reason that I've been unable to see much pattern to, pfSense will 
> suddenly report a rash of errors similar to:
> ---
> [ There were error(s) loading the rules: pfctl: DIOCADDRULE: Invalid argument 
> - The line in question reads [0]: ]
> ---
> and/or an error indicating that it can't allocate memory (but there's over 
> 50% reported as being available).
>
>
> When this happens, the following kind of error will occur during the reboot 
> while first configuring the firewall ...
> ---
> pfi_table_update cannot set  new addresses into table : 
> ---
> where "" varies, even with the same config being rebooted, and seems to 
> be either an interface name or "self".  The error continues to recur with a 
> considerable "blocking" pause (up to 10's of seconds) each time it 
> (apparently) attempts a reload.
>

It sounds like something in 32 bit isn't happy with very large table
sizes. Can't say we've tried large tables on 32 bit, nor do I know of
others who have offhand. Where there is a need for large table sizes,
you're almost always running 64 bit hardware and the 64 bit version.
Is that not a 64 bit CPU? If it is, reinstalling with 64 bit and
restoring your backup should be a quick, proven solution.

If you wouldn't mind sharing your aliases, email that portion of your
config to me off-list.


[pfSense] Suddenly getting pfi_table_update errors

2015-02-17 Thread Bryan D.
I have a relatively low-traffic pfSense 2.1.5 i386 setup on a system with 1.5 
GB of memory that always shows <50% used.

This setup has normally been reliable but, since upgrading to 2.1.5, today is 
the 4th time I've run into a problem after making changes to some aliases.  For 
some reason that I've been unable to see much pattern to, pfSense will suddenly 
report a rash of errors similar to:
---
[ There were error(s) loading the rules: pfctl: DIOCADDRULE: Invalid argument - 
The line in question reads [0]: ]
---
and/or an error indicating that it can't allocate memory (but there's over 50% 
reported as being available).


When this happens, the following kind of error will occur during the reboot 
while first configuring the firewall ...
---
pfi_table_update cannot set  new addresses into table : 
---
where "" varies, even with the same config being rebooted, and seems to 
be either an interface name or "self".  The error continues to recur with a 
considerable "blocking" pause (up to 10's of seconds) each time it (apparently) 
attempts a reload.


I've handled this issue by restoring the most recently saved config.xml (I save 
these _very_ often, now!) and it's been "good to go" .. after which I can 
remake the changes and all has been good.

However, today that strategy didn't work.  After restoring the previously saved 
config.xml. which had been running without issues for about a day, the 
"pfi_table_update" problems remained after rebooting.


Thinking it might be a disk-corruption and/or hardware issue, I built another 
system (with similar resources) and tested it.  The same config fails in an 
equivalent way.


QUESTION: Can anyone shed some light on how I might troubleshoot this issue?

QUESTION: Does anyone know what's getting loaded when the message
---
There were error(s) loading the rules: pfctl: DIOCADDRULE: Invalid argument - 
The line in question reads [0]
---
is being issued? ... if I could see the rule that's giving the problem, maybe 
that'd lead somewhere useful.


Other things I've done, without result ...

Of course I asked Mr. Google and searched the pfSense bug tracker for 
pfi_table_update, all without results.

I scanned the disk for an operation called pfi_table_update
(find / -type f -exec fgrep -l pfi_table_update {} \;)
but came up empty-handed so I assume this is not a php/pfSense routine.

My first thought when it occurred was that the config.xml file had become 
corrupted, but I've never found any evidence of that.  I've always compared the 
failed config to the successfully reverted config and found no clues (lately, 
since I save configs so often, there's only been 2 or 3 changes).  The only 
thing that's been consistent is that the problem always "pops up" (literally!) 
after editing aliases and the rules are being reloaded.

I'm always careful to change aliases in a way that works from the bottom of the 
dependencies "up" (when applicable) and, though I do have aliases that include 
other aliases, I doubt there's anything unusual in either structure or number 
of aliases I have configured (84 host/network aliases, 67 port aliases and 63 
URL aliases).

The only thing (related to the aliases) that may be unusual is that I have 
about 10 large URL tables (70K entries, each) and have things configured for 
250 tables (currently <100) and 2,500,000 table entries (currently about 680K 
entries).  It's the tables that consume memory, not states, in our case.

Any ideas?#;-)

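Bryan asks what is being loaded when pfctl reports DIOCADDRULE, and Chris suspects very large tables on 32-bit. Two checks fit both questions; the script below is an added example, not from the thread or from pfSense itself. pfSense writes the ruleset it hands to pfctl to /tmp/rules.debug, so `pfctl -vnf /tmp/rules.debug` parses it without loading and echoes the rules as it goes, and `pfctl -sm` together with `pfctl -vvsT` shows the table-entries hard limit against the addresses the tables actually hold. (pfi_table_update itself is a kernel pf routine, in pf_if.c, not a PHP script, which is why a grep of the filesystem turns up nothing.) The parsing functions take pfctl output on stdin, so the constructed sample output below exercises them offline; its figures are made up apart from the 2,500,000 limit Bryan mentions.

```sh
#!/bin/sh
# Added example (not from the thread or pfSense): compare pf table usage with
# the configured table-entries hard limit, and dry-run the generated ruleset.

# Parse the table-entries hard limit from `pfctl -sm` output given on stdin.
table_entries_limit() {
    awk '$1 == "table-entries" { print $NF }'
}

# Sum the per-table "Addresses:" counters from `pfctl -vvsT` output on stdin.
table_entries_in_use() {
    awk '$1 == "Addresses:" { sum += $2 } END { print sum + 0 }'
}

# Integer percentage of the limit in use: table_entries_pct LIMIT USED
table_entries_pct() {
    [ "$1" -gt 0 ] || { echo 0; return; }
    echo $(( $2 * 100 / $1 ))
}

# Constructed sample output in the shape pfctl prints, for offline use.
SAMPLE_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit  2500000'

SAMPLE_TABLES='-pa-r-- bogons
    Addresses:   67412
    Cleared:     Tue Feb 17 10:00:00 2015
-pa-r-- spamhaus_drop
    Addresses:   612
    Cleared:     Tue Feb 17 10:00:00 2015'

if command -v pfctl >/dev/null 2>&1; then
    limit=$(pfctl -sm | table_entries_limit)
    used=$(pfctl -vvsT | table_entries_in_use)
    # -n parses without loading; -v echoes each rule, so the rule pfctl
    # chokes on is the last one printed before the error.
    pfctl -vnf /tmp/rules.debug || echo "ruleset in /tmp/rules.debug does not parse"
else
    limit=$(printf '%s\n' "$SAMPLE_LIMITS" | table_entries_limit)
    used=$(printf '%s\n' "$SAMPLE_TABLES" | table_entries_in_use)
fi
echo "table-entries: $used of $limit in use ($(table_entries_pct "$limit" "$used")%)"
```

Run it on the pfSense shell while the problem is present; a usage figure far below the limit points away from the limit itself and towards what Chris suggests, address space on the 32-bit build, and the last rule echoed by the dry run is the one behind "The line in question reads".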


[pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-17 Thread Chuck Mariotti
I have 4 Yealink T46G phones, 3 on one network (problematic), 1 on a separate 
network... all phones are OpenVPNing into pfSense box at datacenter... then 
using a phone system through the OpenVPN connection.

The problematic location keeps having issues with phones not receiving calls or 
making calls... as well as call quality issues. Rebooting the phones solves the 
problems.

The OpenVPN logs contain a number of TLS Errors (TLS keys are out of sync)... 
as well as Auth/Decrypt errors (packet HMAC authentication failed). Logs are 
below. Can anyone shed some light on what might be happening here?

Regards,

Chuck


[pfSense] Problem allowing traffic from external OpenVPN clients to LAN systems

2015-02-17 Thread Fred Boiteux
Hello,

  I'm using pfSense 2.1.4 on an Alix system with 3 networks, one WAN
and two different LANs.

 On this pfSense box, I've set up two OpenVPN VPNs, in peer-to-peer mode
with pre-shared keys, one with TCP access, the other with the more
classical UDP. For these two VPNs, I have external clients (not
running pfSense, but OpenVPN) which successfully connect to my pfSense
box. From my system, located on a private LAN connected to one of the
two pfSense LAN interfaces (I'm using gateways to send traffic back
to this private LAN), I can access the Internet, and also the
client OpenVPN systems and their private LANs, as I added routes for
this in the OpenVPN configuration.

I would now like to access my system from these client OpenVPN systems,
but it doesn't work, and I don't understand why:
I can do 'ping ', and the ping gets answers, but
if I try an SSH connection, I can't reach my local system from
these client OpenVPN systems, and on the pfSense box, when looking at the
Firewall tab in Status->System logs, filtering on my private LAN
address/port 22, I find the connection packets (TCP SYN) are blocked:


Act    Time             If      Source          Destination      Proto
block  Feb 17 12:29:14  ovpns2  10.0.9.2:42233  172.22.22.41:22  TCP:S

When clicking on the 'block' icon, I get :
The rule that triggered this action is:
@5 block drop in log inet all label "Default deny rule IPv4"
 
I've tried to allow any traffic from the OpenVPN networks in Firewall Rules, 
without change. If I also try the 'Easy Rule' in System Logs/Firewall to add a 
rule to allow these connections, nothing changes; the connections are still 
blocked :-(

I didn't use named interfaces for the OpenVPN servers; could that help with my 
problem?

If you have any advice, or need more information, please tell me !

  With regards,
Fred.
